INAMOIBW and Other Trends from the 2016 RSA Conference Submission Review Process

In the coming weeks, the full RSA Conference agenda will be published (some great "early acceptance" sessions are already online), and it represents a carefully curated selection by the RSA Conference Program Committee of great speakers, critical topics, and interesting viewpoints. The curation process is very deliberate with industry experts reviewing each and every submission, debating the options, and developing compelling tracks.

In the course of this review process, we are able to collectively look at the "forest" of the submissions together, and several trends stand out. Many of these are very inter-related—it’s a domino effect, really. Here’s our top 10 list for 2016:

#1: Internet of Things. Last year we noted a huge uptick in submissions on this topic, and this year it moved front and center. We seem to have moved to the next stage of processing the challenge, moving beyond ovens and medical devices to parking meters, baby monitors, toasters, drones, smart watches, thermostat, toilets…you get the picture. While last year’s submissions tended to be "observational," this year we seem to have moved into the "solutioning" phase of the maturity curve, evidenced by a slew of new submitting companies—organizations that directly service end consumers and haven’t traditionally participated in our call-for-speaker process. There's a greater focus on the importance of security in the overall risk posture as companies bring new solutions to market, and organizations are dealing with more "things" being connected to the network. While we still anticipate rough roads ahead as organizations work to balance accessibility and transparency (and, let’s face it, the cool factor!) with security, privacy and risk tolerance, we are heartened to see substantial solutions-based conversations percolating and look forward to meaty conversations around Internet of Things across our agenda, including the Law track which will feature a strong panel exploring the liability implications of these potential catastrophes and a live hack of a professional drone.

#2: Industrial Control Systems and the Industrial Internet of Things. And everything that comes with it, including smart cities, pervasive sensing, digital control systems, SCADA, and the like. For whatever reason, ICS didn’t get much traction in past years’ submissions. As security practitioners, we know it’s important, but in the past, sessions focused on this just didn’t gain attention. Boy what a difference a year makes! At RSA Conference Abu Dhabi, had an entire track dedicated to Smart Cities and another focused on Critical Infrastructure, with several interesting sessions focused on ICS. We are dealing with the fact that many of the "things" coming alive and online, such as robots, sensors, building automation, are still based on old security protocols and approaches, and breaches here have the very real potential to trigger large-scale disasters. Related to this conversation, there was a sentiment of the merging of the role of operational technology (OT) and information technology (IT), whose traditionally distinct roles are being forced to work closely together to properly secure the environment as well as ensure the safety of people and protection of data. Attacks on Critical Infrastructure: Insights from the "Big Board" is an early accepted presentation that is focused in this area; look for other strong presentations as well as the full agenda is published.

#3: Encryption. It’s become cool again—and this isn't about another claim of "the year of PKI", but rather a whole new crop of ways of looking at and exploring encryption. This year we had an explosion of highly interesting, fresh conversations around encryption, including topics like preserving data sovereignty through encryption. Quantum computing is also generating interest, as organizations seem to be more earnest in their early stage exploration of opportunities here. Reacting to this trend, we blew out a new track focused entirely on Protecting Data & Applied Crypto.

#4: Artificial Intelligence and Machine Learning. We recognize the tremendous power to be harnessed with AI and machine learning—we see it at work in our organizations offensively and defensively—but we’re concerned that left unchecked, or poorly secured, this enabling power could be the greatest threat of all. We are also concerned, but intrigued, by automated approaches to proactive security and incident response. We seem to be at the front end of a larger discussion around the ethics, security, and privacy elements related to this new direction. Watch for some interesting sessions on this topic at RSA Conference, including Rise of the Hacking Machines.

#5: Crowdsourcing. From intelligence sharing to bug bounties to standards creation and beyond, submissions explored the "power of many." From a positive perspective, we recognize the same benefit that can be achieved with the guidance to vaccinate (remembering Scott Charney drawing a parallel to the CDC approach from the keynote stage in 2013). But we also recognize the threats that come with sharing in public, and remain anxious about the best way to do this. Several submissions focused on powerful open source activities, but some also explored the challenges that come with security when using open source code in a product, an area that appears to be growing in interest given the impact of some of these other trends.

#6: The Role of the Researcher. Amongst our Program Committee, we discussed this as a "coming of age" for the security industry as formal bug bounty programs butt heads with "sell to the highest bidder" to complete shutdown of any desire to have vulnerabilities disclosed. While looking back across the past 25 years of RSA Conference sessions, we seem to go through cycles of what we think about white hat hackers, however this year we seem to have reached a definite inflection point. Arguably the snowballing of this discussion began at last year’s RSA Conference and continued to grow across events throughout the year. There are many facets to this topic, and we look forward to continuing the discussion this year.

#7: Healthcare and Automotive. We put these industries together because they seem to be on parallel tracks at similar maturity points, perhaps due to the very public nature of many of the challenges faced by both (credit #6 above as well as #1?). Across submissions, we see that security is a household, personal issue; it is part of our daily lives. We had a wide range of submissions around both industries, focusing on everything from new vulnerabilities and hacks to legislative/policy directions to compliance measures that should be considered. A A Learning Lab will offer an interactive facilitated experience that explores automobility in the future.

#8: Security Meets the Board of Directors. Security has fully moved out of the back room, and is being valued as a business enabler and differentiator. We saw an even further shift to risk conversations vs compliance "coverage", including bridging the gap between threat intelligence and risk management. We also saw tremendous submissions around effective Board engagement and successful engagement across the C-Suite, from the CFO to CISO/CTO collaboration. You also want to talk about cyber insurance, which we attribute to bigger and bigger breaches. We see organizations continuing to explore and apply more and more frameworks, blank slating their approach to security all together and starting net new due to changed technology infrastructures, further valuing the context of the intelligence they are reviewing, and recognizing the different drivers and challenges of their diverse and changing workforce and work environments. The security of the whole ecosystem is continuing to evolve as we work to be proactive. We also seem to have a growing divide between practitioners and vendors—watch for a new Practitioner’s Dilemma half-track to address some of these issues and opportunities.

#9: Privacy and Legislative Volatility. We noted the increasing focus on privacy last year, and this year we saw a continued uptick. We saw a change to the tone of the privacy conversation as well, evolving to highlight the business enablement and benefits a strong focus on privacy can offer. Emerging technologies will offer different future perspectives. This year we will offer a half-track focused on privacy as well as an interactive focused Learning Lab. Concerns around legislative direction across the globe are always a factor, but appear to have increased this year. We see concerns around privacy, data governance, jurisdiction, proactive defense, and deception techniques and directions being taken. There will be agenda additions up until the week of Conference to best facilitate conversations in this ever-changing environment.

#10: INAMOIBW. A new acronym that defies pronunciation, but that deserves a call out of its own: "It’s not a matter of if but when." At least 56 submissions had this line in them, and some questioned if this "defeatist" mentality is healthy for our industry. It’s an interesting consideration.

Many more insights and perspectives can be gleaned from the submissions—this just brushes the surface. Dark Web rising, SDN maturing, bitcoin and crypto currencies (indeed a variety of payment approaches) being explored, fuzzing, ransomware, and unicorns—herds and herds of unicorns!—galloping through our submissions. Join Dr. Hugh Thompson and me as we delve deeper into these trends and others on Dec. 3 at 9 am PT as we explore this year’s word cloud for a visual view of RSA Conference 2016.

Upcoming Conferences

EMC2, EMC, RSA and their respective logos are registered
trademarks or trademarks of EMC Corporation in the
United States and other countries. All other trademarks
used herein are the property of their respective owners.